On 25.05.2015 at 15:44, Rémy Maucherat wrote:
2015-05-24 15:34 GMT+02:00 Rainer Jung <rainer.j...@kippdata.de>:
I need to add some info to the tcnative docs concerning using a native SSL
connector and I'm quite uncertain where to add it. It will roughly be:
Starting with version 1.1.34 of the APR/native connector, the strength of
ephemeral keys for DH ciphers is by default chosen depending on the key
size used for the certificate. A 2048 bit certificate will result in using
a 2048 bit prime for DH. Unfortunately Java 6 only supports 768 bit and
Java 7 only supports 1024. So if your certificate has a stronger key, the
new behavior will lead to handshake failures with old Java clients. In that
case you can either try to force them to use another cipher by configuring
an appropriate SSLCipherSuite and activating SSLHonorCipherOrder, or add
weak DH params to your certificate file. The latter is not recommended
because it weakens the SSL security.
Any ideas where to put this?
http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html or
http://tomcat.apache.org/tomcat-8.0-doc/config/http.html probably, right?
Ideally it should be elsewhere but I doubt anyone would ever find it.
Thanks, I liked best the Howto, because it already contains a list of
known problems.
I hope people will find it searching for the client side error message.
Regards,
Rainer
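
The failure mode and the two workarounds from the proposed documentation text, as an added example that is not part of the original message and is not tcnative code. It is a simplified model of cipher selection: the suite lists are constructed samples, the client DH limits are the figures given in the message, and the DH prime size is assumed to equal the certificate key size.

```python
# Added illustration: a simplified model of cipher selection, not tcnative code.
# Client DH limits are the figures given in the message above.
CLIENT_MAX_DH_BITS = {"Java 6": 768, "Java 7": 1024}

# Constructed sample preference lists (OpenSSL-style suite names).
OLD_JAVA_CLIENT = ["DHE-RSA-AES128-SHA", "AES128-SHA"]
SERVER_DHE_FIRST = ["DHE-RSA-AES128-SHA", "AES128-SHA"]
# Note: AES128-SHA is static RSA key exchange, so it gives up forward secrecy.
SERVER_DHE_LAST = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"]


def select_suite(server, client, honor_server_order):
    """First shared suite, walking the server's list or the client's list."""
    primary, other = (server, client) if honor_server_order else (client, server)
    return next((s for s in primary if s in other), None)


def handshake(client, server, cert_key_bits, honor_server_order,
              client_suites=OLD_JAVA_CLIENT, dh_param_bits=None):
    """Return (suite, ok). dh_param_bits models explicit DH params in the
    certificate file; None models the 1.1.34 default, simplified here to
    'DH prime size equals certificate key size' (assumption)."""
    suite = select_suite(server, client_suites, honor_server_order)
    if suite is None:
        return None, False
    if not suite.startswith("DHE-"):
        return suite, True  # no finite-field DH parameters involved
    dh_bits = cert_key_bits if dh_param_bits is None else dh_param_bits
    return suite, dh_bits <= CLIENT_MAX_DH_BITS[client]


def survey(bits=2048):
    """Run the scenarios from the message for a given certificate key size."""
    j6, j7 = "Java 6", "Java 7"
    return {
        "default": handshake(j7, SERVER_DHE_FIRST, bits, False),
        "reordered, order not honored": handshake(j7, SERVER_DHE_LAST, bits, False),
        "reordered, order honored": handshake(j7, SERVER_DHE_LAST, bits, True),
        "1024-bit DH params, Java 7": handshake(j7, SERVER_DHE_FIRST, bits, False,
                                                dh_param_bits=1024),
        "1024-bit DH params, Java 6": handshake(j6, SERVER_DHE_FIRST, bits, False,
                                                dh_param_bits=1024),
    }


if __name__ == "__main__":
    for name, (suite, ok) in survey().items():
        print(f"{name:30} {suite:20} {'ok' if ok else 'handshake failure'}")
```

In this model, reordering the server's list only helps once the server's order is honored, and 1024-bit DH params still leave the Java 6 client failing.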